U.S. NUCLEAR REGULATORY COMMISSION
NUREG/BR-0304—August 2003
Volume 1, Number 1

OIG Information Digest

Inside this issue:
• Introduction
• Use of the Internet
• NRC Employees and Contractors Using Computers to Download Pornography
• Beware of Travel Fraud
• OIG Audit Program
• OIG Investigative Program

Special points of interest:
• Audit News
• Investigative News
• Do's and Don'ts Concerning Internet Use

Introduction

The Inspector General's Office has renamed this publication from OIG Fraud Bulletin to OIG Information Digest. This change reflects that we have broadened the scope of the publication to include topics beyond the subject of fraud.

In this and future issues, topics may include:
• The operation and purpose of this office,
• Audits and investigations of interest,
• Do's and don'ts in the workplace,
• Scams that can affect your personal life,
• More information on identity theft,
• How to protect yourself and your home,
• Trends of our current and past investigations, and
• Summaries of some of the more prevalent cases of wrongdoing that occur within NRC and other agencies.

We hope this information will prove valuable to you in your professional and personal life.

Use of the Internet

The use of the Internet in the workplace and associated privacy concerns represent one of the more troubling issues of our time. While the Internet is fast and inexpensive, Internet usage can pose significant risks if it is not managed or is abused. The various forms of Internet activity have become ingrained in most corporate cultures. Today, roughly 90 million business workers in the United States (about two-thirds of all workers) and about 120 million workers outside the U.S. use the Internet. E-mail has replaced the telephone as the primary and preferred method of business communication for those with Internet access.[1]

The Internet provides computer access to an ever-expanding storehouse of electronic information through the mass connection of networked computers. Use of the Internet offers tremendous capabilities to employees in terms of access to a wide variety of information sources relevant to their official duties. However, along with tremendous advantages, the Internet provides access to a wide variety of information that may not be consistent with business needs and may be harmful or inappropriate for the work place. Abuse, misuse, and overuse by employees can in egregious cases:
• Leave employers vulnerable to lawsuits (downloading of sexually explicit material has been viewed as creating a hostile work environment);
• Introduce various security issues, such as the release of confidential, proprietary, or otherwise sensitive information, or a download of unlicensed software or viruses;
• Cause a decline in employee productivity; and
• Strain network resources.

Implementing a comprehensive Internet usage policy clarifies usage guidelines and directives designed to inform and educate employees about proper practices with regard to Internet activity.

Organizations also adopt technical measures, including:
1) Tools to monitor Internet activity to enforce policy and identify offenders,
2) Antivirus utilities to protect against malicious code at all potential points of infection,
3) Secure e-mail solutions to protect information traveling across the Internet, and
4) Archiving utilities and storage systems to ensure that messages are deleted or retained as appropriate.[2]

A recent American Management Association survey [3] found that more than three-quarters of major U.S. firms (almost 78 percent) record and review employee communications and activities on the job, including Internet use. This figure has doubled since 1997. Based on recent Government audit reports, there is compelling evidence of the same need for surveillance in the Federal Government.

A Privacy Foundation study found that many employers regularly monitor employee e-mail and Web surfing.[4] Monitoring refers to the management policies, processes, and supporting technology for ensuring compliance with organizational and agency privacy guidelines and the ability to exhibit due diligence. Monitoring also refers to the conduct of internal and external independent reviews and audits to ensure compliance with legislation and regulations.[5] The study estimated that 14 million employees were under continuous Internet or e-mail monitoring using commercially available software.

[Sidebar] When users log into NRC's LAN they see the following language:

    USE OF THIS COMPUTER CONSTITUTES A CONSENT TO MONITORING.

    Anyone who violates security regulations or makes unauthorized use of Federal computer systems is subject to criminal prosecution and/or disciplinary action.

Currently, practice is that Federal employees are permitted limited personal use of the Internet if the use does not interfere with official business and involves minimal or no additional expense to the Government. This limited personal use is to be performed on the employee's non-work time. The policy also outlines the following inappropriate personal uses of Government office equipment:
• Any personal use that could cause congestion, delay, or disruption of service to any Government system or equipment;
• Downloading of malicious files and vulnerable software, and the download and use of unlicensed software;
• The creation, downloading, viewing, storage, copying, or transmission of sexually explicit or sexually oriented materials,
• The creation, downloading, viewing, storage, copying, or transmission of materials related to illegal gambling, illegal weapons, terrorist activities, or any other illegal activities otherwise prohibited.[6]

Private industry also uses models for Internet usage. The ePolicy Institute has developed a sample employee Internet usage policy. Covered employees sign a statement that acknowledges that they have read and agree to abide by the Internet policy as consideration for continued employment.

The ePolicy Institute also developed Do's and Don'ts to help employers decide what is an acceptable risk for the organization.

The Do list includes:
• Establish comprehensive, written ePolicies that address employee use of e-mail, the Internet, and software;
• Communicate that the organization's Internet systems are to be used strictly as business communication tools;
• Review the written ePolicies with every employee;
• Incorporate the policy into employee handbooks;
• Address ownership issues and privacy expectations; and
• Require that each employee reads, signs, and dates a hard copy of the policy.

The Don't list includes:
• Don't rely solely on e-mail to communicate the ePolicies;
• Don't expect employees to train themselves on the policies.[7]

[Sidebar] NRC Management Directive 2.7 contains the NRC's guidelines for employees' personal use of information technology. The Directive outlines the conditions under which employees may and may not use the agency's information technology capabilities.

Sources of Information

1. E-mail and Internet usage policy statistics developed by industry analyst Jonathan Penn for the infoshop.com. (September 17, 2001).
2. Internet information provided by Jonathan Penn, industry analyst for the-infoshop.com Web site (September 17, 2001).
3. American Management Association's 2002 Survey on Workplace Monitoring and Surveillance (August 2001).
4. Workplace Surveillance Project of the Privacy Foundation, a research group based at the University of Denver, conducted this study in July 2001.
5. This definition is offered by Robert Parker in an article for the Information Systems Control Journal (September 2001).
6. "Limited Personal Use" of Government office equipment recommended by the Federal CIO Council in May 1999.
7. These examples come from the ePolicy Handbook published by the ePolicy Institute in 2001.

NRC Employees and Contractors Using Computers to Download Pornography

In June 2002, OIG published a Fraud Bulletin dedicated to the use of information technology in the workplace. In that issue, descriptions were provided regarding the proper and improper use of telephones, pagers, fax machines, photocopiers, e-mail, computers, and the Internet.

Of particular note was the concern that NRC employees were using the Internet to view sites of a pornographic nature. Management Directive 2.7 strictly prohibits the use of NRC computers to view or download this type of material.

OIG performed an audit in June 2001 of Internet usage over an 8-day period during that month. It was determined that in some cases hundreds of hours were logged into pornographic sites.

NRC employees and contractors continue to use NRC computers to view and download material from pornographic sites. Subsequent to the publication of that audit report, 30 cases have been investigated resulting in 8 suspensions for a total of 251 calendar days of lost time and lost salaries of approximately $62,124. In addition, seven individuals either resigned or were terminated rather than face administrative action. Three cases resulted in reimbursement for time used on the computer by contractors, four cases are currently pending NRC management action, and seven cases are still under investigation by OIG.

The time each individual was suspended without pay varied from 10 to 45 days.

The audit component of OIG has another initiative underway to determine the extent of Internet use by NRC employees.

NRC contractors may not use Government computers for any personal reasons, including to access the Internet or to communicate via e-mail.

It is important to remember that NRC computers are NEVER to be used for illicit or illegal purposes. To do so can place an employee in the position of facing significant disciplinary action.

Beware of Travel Fraud (Article from the National Consumers League)

The prospect of getting away to a warm romantic island or visiting a foreign country is extremely appealing. But what may seem to be a bargain may in fact be a nightmare.

Be skeptical of offers for "free" trips. Airlines and other well-known companies sometimes operate contests for travel prizes. However, there are also companies that offer "free" trips to try to lure people into buying their products or services. It's never "free" if you have to pay something.

Know exactly what's included. A "free" or incredibly cheap trip may have hidden costs. For example, the cruise may be free, but you have to pay to fly to the departure point and stay in a hotel at your own expense. Or you may have to endure a long, high-pressure sales pitch for a timeshare or travel club membership as part of the trip.

Realize that the deal may not be as good as you think. You may find that a travel offer requires you to make reservations through a specific company and that the costs are higher than they would be if you used your own travel agent or made the arrangements yourself. Alternatively, the offer may be valid only if you bring a companion along at full fare.

Be aware of restrictions. Often the best travel deals are available only for off peak times, not during school vacations, holidays, or other popular travel dates. You may find it hard to get the promised price for the dates that you want to travel or there may be no space available on those dates at all.

Confirm the arrangements. If transportation and hotel are included in the travel package, ask how to contact those companies and confirm with them directly that the reservations have been made.

Do your own travel research. It's easy to get information from a local travel agent and other sources such as newspapers, books, and the Internet. You may be able to get the trip you want for far less than the "bargain" price a company is offering.

Pay with a credit card. Fraudulent travel operators take the money and run and even legitimate companies can suddenly go out of business. Protect yourself by paying with a credit card so you can dispute the charges if the promises aren't kept.

OIG Audit Program

Recently Completed Audits

Audit of NRC's Regulatory Oversight of Special Nuclear Materials (OIG-03-A-15), May 23, 2003

OIG found that NRC's current levels of oversight of licensees' material control and accounting (MC&A) activities do not provide adequate assurance that all licensees properly control and account for special nuclear material. Specifically, NRC performs limited inspections of licensees' MC&A activities and cannot assure the reliability of the Nuclear Materials Management and Safeguards System data.

NRC's Oversight of Research and Test Reactors (OIG-03-A-16), June 5, 2003

The OIG determined that NRC's oversight of research and test reactors was meeting NRC's expectations, however, some aspects of oversight can be improved, including (1) guidance for inspection followup items, (2) operating plans, (3) information available to the public, and (4) documentation for refresher and continuing inspector training.

Memorandum Report: Review of NRC's Purchase Order Processing (OIG-03-A-17)

The Division of Contracts and the Division of Financial Services have non-integrated computer systems and agency program offices have their own office-specific invoice tracking systems, all of which require entry of the same or similar information. Both organizations are currently working together to develop an E-Procurement system. Close intra-agency coordination is needed to ensure that this initiative, as well as process improvements in the commercial payments area, are successful.

Audits in Progress

Internet Follow Up - The objective of this audit is to determine how newly implemented controls affect use of the Internet.

Review of NRC's Personnel Security Program - The objective of this audit is to evaluate NRC's access and clearance process for employees and contractors and whether the program is effectively managed.

Audit of NRC's Contract Administration Practices - The objective of the audit is to review the economy, efficiency, and effectiveness of the management controls included in the NRC's contract administration program.

Audit of NRC's FY 2003 Financial Statements - The objective of the audit is, in part, to evaluate internal controls, and review compliance with applicable laws and regulations.

Audit of NRC's Protection of Safeguards Information - The objective of this audit is to determine whether NRC adequately defines what constitutes safeguards information, ensures its protection, and prevents inappropriate release to unauthorized individuals.

Independent Auditor's Report

Closeout Audit of GSE Power Systems, Inc. (OIG-03-A-19)

This report reflects the results of a review to determine the allowability and allocability of the direct and indirect costs claimed in the closeout documents. The audit disclosed that GSE did not maintain sufficient reports to support contract costs, which is failure to comply with the requirements of the Federal Acquisition Regulations (FAR) 52.215-2, Audit Records—Negotiation, which is incorporated in the contract by reference. The audit also recommended disallowance of some contract costs.

OIG Investigative Program

Inappropriate Handling of an Enforcement Action by Region III

OIG conducted an investigation into several concerns about the handling of an enforcement action related to prohibited employment discrimination by Exelon Nuclear Generation Company, an NRC licensee. It was alleged that (1) NRC erred in settling the enforcement action in that the action violated NRC's enforcement policy and (2) NRC ignored findings that an Exelon manager deliberately discriminated against an employee for engaging in a protected activity. In addition, it was alleged that NRC conducted closed meetings with Exelon to discuss a settlement of NRC's enforcement action without the knowledge of the employee's attorney and contrary to promises made by NRC.

As a result of the investigation, OIG determined that because the licensee admitted violating NRC regulations pertaining to prohibited employment discrimination, NRC exercised enforcement discretion and settled the matter prior to holding an enforcement conference. OIG learned that while settlement of an enforcement action prior to holding an enforcement conference is unusual, this action was coordinated with NRC's Office of the General Counsel and the Office of the Executive Director for Operations. Additionally, OIG found that the settlement did not violate NRC's Enforcement Policy, as the Enforcement Policy is silent regarding the timing of negotiated settlements. OIG also found that the Exelon employee's attorney was not excluded by NRC staff from participating in NRC enforcement proceedings because no formal enforcement meetings took place. In addition, OIG found that on October 3, 2002, NRC issued a Confirmatory Order to Exelon which confirmed the licensee's commitment to train its managers at all Exelon plants concerning NRC requirements related to maintaining a safe work environment.

Fraud by NVT Involving NRC Custodial Contract

OIG conducted an investigation into information provided by a former Nguyen Van Thanh Technologies (NVT) employee alleging that NVT failed to meet several contract requirements involving preventive maintenance. NVT had a 5-year building maintenance contract with NRC in the amount of $5 million.

As a result of the investigation, OIG found that the NVT project manager for the NRC contract instructed the former NVT employee to falsify entries in generator and fire pump log books for the emergency lighting and fire sprinkler systems at NRC headquarters buildings between February 2000 and January 2001. These entries made it appear that this safety equipment was tested, as required by the NRC contract, when in fact such testing had not occurred.

In March 2002, the project manager for NVT and the corporation were indicted by a Federal Grand Jury in the Southern District of Maryland on 12 counts of violation of Title 18 United States Code (USC), Section 1001, False Statements, and 18 USC, Section 2, Aiding and Abetting. The indictments against the NVT project manager and NVT were subsequently dismissed in lieu of a civil settlement by the U.S. Attorney's office.

Organization

U.S. Nuclear Regulatory Commission
Office of the Inspector General
11545 Rockville Pike
Rockville, MD 20851

Hotline Number—800-233-3497
Fax - 301-415-5091

We're on the WEB! Access the HOTLINE Thru the NRC Website!